Skip to content

fix: add type safety to res.location to prevent encodeUrl crash#6947

Closed
ST4RKJR wants to merge 1 commit intoexpressjs:masterfrom
ST4RKJR:fix/res-json-return
Closed

fix: add type safety to res.location to prevent encodeUrl crash#6947
ST4RKJR wants to merge 1 commit intoexpressjs:masterfrom
ST4RKJR:fix/res-json-return

Conversation

@ST4RKJR
Copy link

@ST4RKJR ST4RKJR commented Dec 4, 2025

res.location() currently passes the value directly into encodeUrl(url).
If url is not a string (e.g., null, undefined, numbers, objects), this
causes a TypeError and crashes the response.

This PR adds a small input guard that normalizes the value using
String(url ?? ''), ensuring encodeUrl always receives a valid string
and preventing runtime crashes.

This is a code-only, backward-compatible safety improvement.

@ST4RKJR
Copy link
Author

ST4RKJR commented Dec 4, 2025

Hi maintainers 👋
This PR adds a small safety improvement to res.location() to prevent encodeUrl() from throwing on non-string input.
Happy to update anything if needed. Thanks for reviewing!

@krzysdz
Copy link
Contributor

krzysdz commented Dec 4, 2025

So now invalid inputs will be quietly ignored without a trace? That doesn't sound like a good idea. While I understand that getting errors is annoying, it is much easier to debug problems if they are clearly signalled.

@ST4RKJR ST4RKJR force-pushed the fix/res-json-return branch from 9d7347e to d007023 Compare December 4, 2025 11:50
@ST4RKJR
Copy link
Author

ST4RKJR commented Dec 4, 2025

So now invalid inputs will be quietly ignored without a trace? That doesn't sound like a good idea. While I understand that getting errors is annoying, it is much easier to debug problems if they are clearly signalled.

Thanks for the feedback! You're right — silently coercing invalid values
could hide mistakes and make debugging harder. I updated the PR to throw
a descriptive TypeError instead when res.location() receives a
non-string value. This makes the behavior explicit and avoids unexpected
silent failures.

Happy to adjust further if needed!

@ST4RKJR ST4RKJR force-pushed the fix/res-json-return branch from d007023 to af9bfbd Compare December 4, 2025 11:56
@ST4RKJR
Copy link
Author

ST4RKJR commented Dec 4, 2025

Thanks for the feedback — the previous version was too strict and didn't
match existing Express behavior. I've updated res.location() to:

  • accept URL instances,
  • coerce all non-string inputs using String(),
  • avoid silent ignoring of invalid values,
  • and maintain backward compatibility.

This now aligns with the expectations in test/res.location.js.

bjohansebas
bjohansebas requested changes Dec 11, 2025
View reviewed changes
Copy link
Member

@bjohansebas bjohansebas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution, but we already have another PR (#6404) ready for this change, which will be released for Express v6. It's not necessary to add tests for a deprecation

Also, please don’t make style changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjohansebas bjohansebas bjohansebas requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ST4RKJR @krzysdz @bjohansebas